Can 'Legit' Spyware Harm You?

Dec. 4, 2007 — -- Nearly every week, consumers are haunted by stories of online-identity theft and that 21st century buzzword that strikes fear in the hearts of Web surfers around the world: spyware.

But not all spyware is created by hackers with nefarious plans to steal your Social Security number; some are produced by legitimate companies for employers, concerned parents and perhaps even suspicious spouses.

But according to experts, all the intent in the world won't keep that spyware from falling into the wrong hands.

When a Philadelphia couple were arrested last week for allegedly using high-tech methods for ID theft, authorities found a simple program in their apartment that can be bought online for less than $100 — the spyware Spector.

Jocelyn Kirsch, a 22-year-old Drexel University student, and Edward Anderton, a 25-year-old University of Pennsylvania graduate, were arrested Friday afternoon at their $3,000-a-month apartment in one of the city's most upscale neighborhoods, Detective Terry Sweeney of the Philadelphia Police Department's Central Detectives Division, told ABC News.

According to Sweeney, in addition to the spyware program, police found two laptops, two PCs and three to four electronic storage drives.

Spector is billed by its manufacturer primarily for businesses. "Record everything they do on the Internet," the site says.

Typically, users can manually download the software onto (ostensibly) their employees' computers. Once installed, it records every keystroke made, every e-mail sent and every Web site visit.

According to Robert Graham, the security executive at Atlanta-based Errata Security, using commercial spyware for more diabolical purposes — such as ID theft — is fairly simple, even for a crook that isn't so technically savvy.

The most typical way to install something like spyware is via e-mail, Graham said.

"The way they would hack is simply e-mail their victims the program and claim it's a software update, pictures of naked Britney Spears or some sort of nonsense in order to get their victims to run it," Graham said. "Once installed, spyware installs a keylogger and [programs] that monitor online activity. Keyloggers are the most important part of spyware because that's what would give them passwords. Online banking sites that advertise themselves as being 'secure' are only secure against somebody eavesdropping on the network traffic, but they are not secure against somebody eavesdropping on keystrokes."

Because a lot of more educated consumers are wary of opening attachments or clicking on links, hackers who know their victims are often more successful, Graham said.

"If you know more about your victim, then it's easier to get your victim to click," he said, because you know what your victim's interests are.

That may have been the case in at least one instance for Kirsch and Anderton. The arrest, which Sweeney described as the proverbial tip of the iceberg, followed a Nov. 19 report by one of their neighbors, who said she feared she had been the victim of identity theft.

The woman, according to police, had received a notice from a local UPS about a package waiting for her from a British retailer that she had never ordered from.

According to Graham, commercial programs like Spector make hacking easier, especially for people who don't know what they're doing.

"[These companies] know perfectly well that 99.9 percent of customers use it for illegitimate reasons. … It puts hacking in the hands of anybody," Graham said. "You can actually buy a lot of products that will hold your hand through the process of hacking."

SpectorSoft, the company that manufactures the software found in the couple's apartment, strongly disagrees with Graham.

According to the company's president, Doug Fowler, SpectorSoft markets to concerned parents and to businesses, not hackers.

"SpectorSoft has never marketed its software as a way to steal from people, to assume another's identity," Fowler wrote in an e-mail. "Any piece of software has the potential to be abused."

Robert Siciliano, the CEO of IDTheftSecurity.com and an identity theft security expert, also takes issue with Graham's attitude, calling products like Spector "a legitimate consumer product."

"There are credible, legitimate reasons for spyware programs," Siciliano told ABC News, citing bosses who don't want employees to goof off, spouses suspicious of affairs and parents worried about their children's online activities.

Instead of spyware manufacturers, Siciliano holds computer users responsible for protecting their information.

"You could also use a gun for hunting or target practice or you could use it to kill people," he said. "It's not the fault of the company who's creating the product if people use it for nefarious purposes."

It's up the consumer to protect themselves with anti-virus software and be aware of transmitting sensitive information over public computers in libraries, hotel business centers and coffee shops.

"If you're going to use these tools of technology you've got to understand the risks associated with them," he said. "Spyware is not the root of the problem. It's people's understanding of the technology, the risks they face and their ability to protect themselves."

The latest study by the Federal Trade Commission indicates that, in 2005, 8.3 million Americans were victims of identity theft. According to the FTC, most victims don't know how their identities were stolen, online or elsewhere.

For Kirsch and Anderton's accusers, only time will tell exactly what happened and how (or whether) Spector was used.

Sweeney estimated that it will take several weeks to cull through all the electronic data discovered, to determine "what's illegitimate on it and what's legitimate on it."

"We're going to have to just surf through it and find out what we've got," he said.